On the surface, Myfip is an underachiever that hasn't spread much since it was discovered last year. Look more closely, however, and it's the perfect example of malcode Chinese hackers are using to steal sensitive files from U.S. government networks in the so-called Titan Rain attacks.
"Worms like this don't look like much by themselves, but in the big picture they're part of a larger threat," said Joe Stewart, senior security researcher with Chicago-based security management firm LURHQ Corp. Stewart and other researchers from LURHQ's Myrtle Beach, S.C.-based Secure Operations Center spent months picking the worm apart and recently issued a report on the findings. "Titan Rain is an example of what worms like this can do if focused properly."
Titan Rain is the code name U.S. investigators have attached to the attacks, in which Chinese Web sites targeted computer networks in the Defense Department and other U.S. agencies, compromising hundreds of unclassified networks. Though classified information hasn't been taken, officials worry that even small, seemingly insignificant bits of information can paint a valuable picture of an adversary's strengths and weaknesses when pulled together. According to The Washington Post, which broke the story last week, U.S. analysts are divided on whether the attacks are a coordinated Chinese government campaign to penetrate U.S. networks or the handiwork of other hackers using Chinese networks to disguise the origins of the attacks.
Below the radar
Stewart said these kinds of attacks are succeeding because hackers are using worms like Myfip. And the minimal media attention Myfip has received in the past year is a bonus for the bad guys. "It's in these guys' best interests to fly under the radar," Stewart said. "They don't want as many victims as possible. They want the right victims."
According to the LURHQ report, Myfip was first discovered in August 2004. "It didn't get an extreme amount of attention at the time, just a few articles talking about a new worm which stole .pdf files," the report said. "It wasn't terribly widespread or damaging, so it didn't rate very high on the antivirus companies' threat indicators."
Indeed, the researchers found imperfections. Based on the worm's behavior, Stewart said its author didn't appear to be very familiar with corporate firewalls. And there was no clever social engineering involved. But, he said, "Looking at the code itself, there's not a lot wrong with it. Given the right person sending it and more effort in the social engineering, this could be very effective." He said it doesn't take a tremendous amount of skill to construct worms like this, and that cyberspace will see more of its kind in the future.
Myfip and its successors might not spread like a Slammer or Blaster. But since it's designed to quietly go in and lift files from the network, the report said companies that are infected could suffer greatly.
"If the wrong document leaves your network it could have devastating consequences," the report said. "Typically when we think of [data] theft, we think of the 'inside job.' However, it is hard to pin down these types of theft to know when and where and to whom it happens. We just don't know unless the theft is discovered after the fact. But Myfip is tangible; it's here and now, and could affect your network. And Myfip is by no means alone; we've seen over the last year a rash of targeted Trojans which appear to be designed solely for the purpose of intellectual property theft."
Stewart said the proof is in all the high-profile reports of data theft this year from the likes of Bank of America, BJ's Wholesale Club and Lexis-Nexis.
How it gets in and what it steals
Myfip typically arrives in an e-mail, an example of which is in the report that says, "If your employees are suspicious at all, they might notice the poor grammar and avoid opening the attachment. But, if they haven't been quite so diligent installing security updates for Internet Explorer, the embedded IFRAME tag in the e-mail might just go ahead and do the job for them."
Myfip doesn't spread back out via the Simple Mail Transfer Protocol (SMTP). "There is no code in the worm to do this," the report said. "From certain key headers in the message, we can tell that the attachment was sent directly to [users]." One element that stands out is that Myfip e-mails always have one of two X-Mailer headers: X-Mailer: FoxMail 4.0 beta 2 [cn] and X-Mailer: FoxMail 3.11 Release [cn]. Also, it always uses the same MIME boundary tag: _NextPart_2rfkindysadvnqw3nerasdf. "These are signs of a frequently-seen Chinese spamtool…," the report said.
When it runs, the worm sets up a few registry keys "to ensure that it will start at every boot," the report said. "For the most part, they have remained constant, so this is an easy way to spot a Myfip infection that might have already occurred on a machine."
The original Myfip only stole .pdf files. But Myfip-B and later variants steal any files with the following extensions:
- .pdf - Adobe Portable Document Format
- .doc - Microsoft Word Document
- .dwg - AutoCAD drawing
- .sch - CirCAD schematic
- .pcb - CirCAD circuit board layout
- .dwt - AutoCAD template
- .dwf - AutoCAD drawing
- .max - ORCAD layout
- .mdb - Microsoft Database
"We can see that the Myfip author is now looking for Word documents and several types of CAD/CAM files," the report said. "This is the core of where many companies' intellectual property resides. We could liken these files to the crown jewels in many cases. And, of course, if you're going to steal a company's product designs, you might as well take their customer list or any other databases that might be lying around in .mdb files."
The China connection
Stewart said his team was easily able to trace the source of Myfip and its variants. "They barely make any effort to cover their tracks," he said. And in each case, the road leads back to China. Every IP address involved in the scheme, from the originating SMTP hosts to the "document collector" hosts, are all based there, mostly in the Tianjin province.
How far has Myfip's reach been so far? While Stewart believes its impact has been limited, he said it's difficult to come up with a specific number of infections. "Nobody's willing to come forward and say they've been infected, so that makes it hard," he said. "No one wants to admit their intellectual property has been stolen."
He said it's also hard to measure the spread because "AV companies will get something like this, update its signatures and move on."
In the battle against Myfip and worms like it, Stewart said companies have to do everything they normally do to keep viruses out. IT administrators should also discourage widespread use of instant messaging programs, which have become increasingly popular in the corporate world. "IM could be a bigger problem in the future," he said. "We really encourage clients not to use IM to send to the outside and receive from the outside."
He said a little paranoia doesn't hurt, either. "Companies really need to be paranoid about the attachments people can open," he said. "They really need to make their users aware of the social engineering that can be used to trick them into opening infected files."
If enterprises don't take the threat seriously, he said attacks like Titan Rain will be repeated over and over again.